summaryrefslogtreecommitdiff
path: root/md/writeup/using_iptables.md
blob: 74b073b3cdd3d9d40524e819754bea03749b1922 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
title:Using iptables
keywords:linux,iptables,networking,icmp,ping,block,forward,tcp,udp,netfilter
# Iptables

## Intro

iptables is linux firewall that uses linux kernel netfilters to expose in kernel
stuff to userland. Here is notes how to fulfill various tasks block, forward 
or prank this silly network packets. This is not manual it just research notes
how to get most of your linux box.

### netfiler modules
#### conntrack
Module that allows more specific connection tracking for TCP,UDP,ICMP or others.
The information that conntrack gathers is then used to tell conntrack in which 
state the stream is currently in.

## Protocols
### TCP connection states
| state | timeout |
|---|---|
| NONE 	| 30 minutes |
| ESTABLISHED | 5 days |
| SYN_SENT    | 2 minutes |
| SYN_RECV    | 60 seconds |
| FIN_WAIT    | 2 minutes |
| TIME_WAIT   | 2 minutes |
| CLOSE       | 10 seconds |
| CLOSE_WAIT  | 12 hours |
| LAST_ACK    | 30 seconds |
| LISTEN      | 2 minutes |

Not constant values could change from version to version.

### TCP connection establishment
| handshake | desc |
|---|---|
| SYN     | The active open is performed by the client sending a SYN to the server. The client sets the segment's sequence number to a random value A. |
| SYN-ACK | In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number i.e. A+1, and the sequence number that the server chooses for the packet is another random number, B. |
| ACK     | Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value i.e. A+1, and the acknowledgement number is set to one more than the received sequence number i.e. B+1. |

Once it has seen one packet(the SYN), it considers the connection as NEW. 
Once it sees the return packet(SYN/ACK), it considers the connection as ESTABLISHED.

## Examples

__General cmd flag description__

| Flag | Desc |
| --- | --- |
| -A | Append a new rule to a chain |
| -D | Delete a rule at some position in a chain, or the first that matches |
| -F | Flush the rules out of a chain |
| -L | List the rules in a chain |
| -R | Replace a rule at some position in a chain |
| -I | Insert chain |
| -N | Create a new chain |
| -J | Jump to target |
| -X | Delete an empty chain |
| -P | Change the policy for a built-in chain |
| -Z | Zero the packet and byte counters on all rules in a chain |
| -I | Insert a new rule at some position in a chain |
| -p | To specify protocol (here 'icmp') |
| -s | Ip addr |
| --icmp-type | For specifying type |
| -t | command matching table |
| -j | jump target |
| -i | interface name |
| -m | extra matching rulles |

__Command matching table names__

| table | desc |
| --- | --- |
| filter   | default table INPUT/OUTPUT/FORWARD |
| nat      | new connection created PREROUTING/OUTPUT/POSTROUTING |
| mangle   | specialize packet alternation PREROUTING/OUTPUT/INPUT/FORWARD/POSTROUTING  |
| raw      | configuring exemptions from connection tracking PREROUTING/OUTPUT |
| security | Mandatory Access Control (MAC) networking rules INPUT/OUTPUT/FORWARD |

__Adding rulle targets__

| rulle table | desc |
| --- | --- |
| INPUT       | for packets destined to local sockets |
| OUTPUT      | for locally-generated packet |
| FORWARD     | for altering packets being routed through the box |
| PREROUTING  | for altering incoming packets before routing |
| POSTROUTING | for altering packets as they are about to go out |

__Connection state__

There is possible to match specific states of connections here is a list of 
some of them.

|state | desc |
|---|---|
| NEW         | The NEW state tells us that the packet is the first packet that we see.  |
| ESTABLISHED | The ESTABLISHED state has seen traffic in both directions and will then continuously match those packets. |
| RELATED     | The RELATED state is one of the more tricky states. A connection is considered RELATED when it is related to another already ESTABLISHED connection.  |
| INVALID     | The INVALID state means that the packet can't be identified or that it does not. |
| UNTRACKED   | This is the UNTRACKED state. |

All connection tracking is handled in the __PREROUTING__ chain, except locally 
generated packets which are handled in the __OUTPUT__ chain. What this means is that
iptables will do all recalculation of states and so on within 
the __PREROUTING__ chain. If we send the initial packet in a stream, 
the state gets set to __NEW__ within the __OUTPUT__ chain, and when we receive 
a return packet, the state gets changed in the __PREROUTING__ chain to 
__ESTABLISHED__,  and so on. If the first packet is not originated by 
ourself, the __NEW__ state  is set within the __PREROUTING__ chain of course. 
So, all state changes and calculations are done within 
the __PREROUTING__ and __OUTPUT__ chains of the nat table. 

### List all rulles

```
iptables -L
```

List iptables rulles with extra output that could be usefull

```
iptables -nL -v --line-numbers
```

### Remove rulle

To delete specific rulle run 

```
iptables -nL -v --line-numbers
```
search for chain and rulle number and delete it with next line

```
iptables -D [chain_name] [line_number]
```

### Load/store rulles

Save iptable rulles to file

```
iptables-save > /tmp/cool.rulles
```

Load rulles from file

```
iptables-restore < /tmp/cool.rules
```

### Remove chain

```
iptales -X chain_name
```

### Block ICMP (No ping) from outside

Createing chain where ping related rules will be located

```
iptables -N ping_in
iptables -t filter -A INPUT -j ping_in
iptables -N ping_out
iptables -t filter -A OUTPUT -j ping_out
```

After creating chains output looks like

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ping_in    all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ping_out   all  --  anywhere             anywhere            

Chain ping_in (1 references)
target     prot opt source               destination         

Chain ping_out (1 references)
target     prot opt source               destination  
```

#### Block outside ping

Lets block if someone tryes to ping us, juct block usual ping echo request,
not blocking ICMP protocol as such.

```
iptables -A ping_in -p icmp --icmp-type echo-request -j REJECT
iptables -A ping_out -p icmp --icmp-type echo-reply -j DROP
```

#### Block inside ping

If dont whant to use ping, or dont whant that other use pinging

```
iptables -A ping_out -p icmp --icmp-type echo-request -j DROP
iptables -A ping_in -p icmp --icmp-type echo-reply -j DROP
```

### Port forwarding

Forward ports

```
iptables -t nat -A PREROUTING -p tcp --dport <incoming-port> -j REDIRECT --to-port <destination-port>
```

Forward port to different ip

```
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.5:8080
```

### IP forwarding


Check if ip forwarding is set

```
cat /proc/sys/net/ipv4/ip_forward
```

if _0_ then not, set to _1_

```
echo 1 > /proc/sys/net/ipv4/ip_forward
```

```
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 216.58.213.174:80
iptables -t nat -A POSTROUTING -j MASQUERADE
```

### Block port

Usefull command to see with ports are used and programm that are using

``` 
netstat -tulpn
```

Here is list of popular protocols and services ports

| Proto | Service | Port | Desc |
| --- | --- | --- | --- |
| TCP     | HTTP   | 80  | plain text internet |
| TCP     | HTTPS  | 443 | SSL'ed plain text internet |
| TCP     | SMPT   | 25  | Simple Mail Transfer Protocol, used for e-mail routing between mail servers |
| TCP     | SSH    | 22  | Secure shell, remote login |
| TCP     | POP3   | 110 | Post Office Protocol used for emailing |
| TCP     | IMAP   | 143 | management of email messages, used for emailing |
| TCP     | DNS    | 53  | domain name resolving protocol |
| TCP/UDP | Telnet | 23  | old school plain text login shell |


If there is some unwanted service running, or you dont whant in future that
it trying to make some connection without your allowance. Lets block port as
such.

```
iptables -A INPUT -p tcp --dport 25 -j DROP
iptables -A INPUT -p udp --dport 25 -j DROP
```

### Block IP

#### Incoming ip
Lets block just incoming ip

```
iptables -A INPUT -s 8.8.8.8 -j DROP
```

#### Block by port

Block ip to access specific port

```
iptables -A INPUT -s 8.8.8.8 -p tcp --destination-port 25 -j DROP
```

### Block by UID

There is possble to make iptables basing on user id

```
iptables -A OUTPUT -m owner --uid-owner {USERNAME} -j DROP
```

### Block by state
You can block some ports, but if you whant that ESTABLISHED connections are still
there. Then there is possible to match specific connection state
```
iptables -A INPUT -m state --state NEW -j DROP -s 86.159.18.180
```

### Block TOR

There is quite common that ANNONYMOUSE users have higher chance to abuse services.
Also some website provides list of exit nodes. Here we going to add to new 
iptables chai list of IPs gathered from public source
```
wget -c https://www.dan.me.uk/torlist/ > tor.list
iptables -N TOR
iptables -t filter -A INPUT -j TOR
cat /tmp/tor.list | uniq | sort | xargs iptables -A TOR -j DROP -s
```

### Logging

Log droppend packages

```
iptables -A INPUT -m limit --limit 2/min -j LOG --log-level 4 --log-prefix 'In2/m '
```

## Playing with system

Lets make our system more secure or lets make some jokes, if you are user in
the system admins could be not happy with this jokes ;].

### Securety related iptable rulles

### Joke iptable rullez



## Links
1. https://en.wikipedia.org/wiki/Iptables  
2. http://www.cyberciti.biz/tips/linux-iptables-9-allow-icmp-ping.html  
3. http://www.cyberciti.biz/faq/how-do-i-block-an-ip-on-my-linux-server/
4. http://crybit.com/iptables-rules-for-icmp/  
5. https://www.safaribooksonline.com/library/view/linux-server-hacks/0596004613/ch04s06.html  
6. https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers  
7. https://spin.atomicobject.com/2012/10/01/useful-iptables-port-forwarding-patterns/
8. http://wiki.vpsget.com/index.php/Forward_%28redirect/nat%29_traffic_with_iptables
9. https://www.debuntu.org/how-to-redirecting-network-traffic-to-a-new-ip-using-iptables/
10. http://www.cyberciti.biz/faq/how-to-save-restore-iptables-firewall-config-ubuntu/
11. http://ipset.netfilter.org/iptables.man.html
12. http://gr8idea.info/os/tutorials/security/iptables5.html
13. http://linuxpoison.blogspot.co.uk/2010/11/how-to-limit-network-access-by-user.html
14. http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html
15. http://www.iptables.info/en/connection-state.html
16. https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Protocol_operation
17. https://tools.ietf.org/html/rfc675
18. https://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html
19. https://www.dan.me.uk/torlist/
20. https://www.honeynet.org/node/691
21. http://wiki.lvl1.org/Iptables
22. https://mkirby.org/mkblog/?p=47